RHEL9.4安装knock配置ssh

日期：2024.11.3
目的：RHEL9这台物理机打算实现两种登录方式，root只能基于key认证登录；另外一个账户可以用账号密码登录，但是登录端口不开放，通过安装knock server，顺序敲击预设的端口，才开这个能够用账号密码登录的端口。
参照：

• 鸟哥Linux私房菜
  https://linux.vbird.org/linux_server/rocky9/0230sshd.php#10.2.2
• tlanyan大佬的博客文章：设置SSH端口使用不同认证方式
  https://itlanyan.com/ssh-set-port-specific-authentication/
• EPEL源官方配置
  https://docs.fedoraproject.org/en-US/epel/getting-started/

knock是基于epel源的，查看主机是否已经配置了epel

[root@RHEL9 ~]# dnf repolist epel
Updating Subscription Management repositories.
[root@RHEL9 ~]#

参照epel官方配置安装

[root@RHEL9 ~]# subscription-manager repos --enable codeready-builder-for-rhel-9-$(arch)-rpms && dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm

安装knock server

[root@RHEL9 ~]# dnf install -y knock-server

看下knock-server配置文件位置

[root@RHEL9 ~]# rpm -qc knock-server 
/etc/knockd.conf
/etc/sysconfig/knockd

备份一下原来的配置文件

[root@RHEL9 ~]# cp /etc/knockd.conf{,.bak}
[root@RHEL9 ~]# ll /etc/knockd.conf*
-rw-r--r--. 1 root root 303 Jan 25  2022 /etc/knockd.conf
-rw-r--r--. 1 root root 303 Nov  3 00:26 /etc/knockd.conf.bak

先看下防火墙指令能不能跑通，测试添加和移除一个规则，指定IP访问22222端口，然后在写配置文件时把IP地址换成变量%IP%即可

[root@RHEL9 ~]# firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.5.253" port protocol="tcp" port="22222" accept'
success
[root@RHEL9 ~]# firewall-cmd --list-rich-rules 
rule family="ipv4" source address="192.168.5.253" port port="22222" protocol="tcp" accept
[root@RHEL9 ~]# firewall-cmd --remove-rich-rule='rule family="ipv4" source address="192.168.5.253" port protocol="tcp" port="22222" accept'
success
[root@RHEL9 ~]# firewall-cmd --list-rich-rules [root@RHEL9 ~]# 

开始编辑配置文件

[root@RHEL9 ~]# vim /etc/knockd.conf
[options]
#UseSyslog
#注释掉上面的使用系统日志，单独起一个日志位置方便调试时观察LogFile       = /var/log/knockd.log
#监听的网卡接口,这里要听master的WANbridge，而不能听slave的enp4s0Interface     = WANbridge
[opencloseSSH]
#敲击端口的顺序,我只设置两个，原因后面会将，其实可以设置多个，只要按照顺序依次敲击就好sequence      = 7777:tcp,8888:tcp
#30秒内依次敲上面端口seq_timeout   = 30
#tcp的syn握手申请tcpflags      = syn 
#添加富规则对敲门的IP开放22222端口start_command = /usr/bin/firewall-cmd --add-rich-rule='rule family="ipv4" source address="%IP%" port protocol="tcp" port="22222" accept'
#20秒端口开放时间cmd_timeout   = 20
#删除富规则关闭22222端口stop_command  = /usr/bin/firewall-cmd --remove-rich-rule='rule family="ipv4" source address="%IP%" port protocol="tcp" port="22222" accept'

关于敲门的方式，有用nmap敲的，有用knock client敲的，我的路由器有IDS入侵检测系统
IDS:intrusion detection system
会把敲门的TCP SYN握手当作入侵扫描给拦截掉，所以nmap和knock client都敲不进去。关闭这个选项可以解决，但是我本意是要增强安全性才安装的knock server，结果为了这个原因反而要关闭入侵检测的一个功能，结果还把安全性给降低了，我认为得不偿失

因此，我选择直接用浏览器敲。直接在浏览器里输入IP地址:端口号就行。例如：221.229.XX.X1:22222
通过浏览器访问这个端口也是会发起TCP SYN握手，只不过有一个问题，knock要求依次敲击，但是浏览器访问的时候会连续敲指定的端口直到手动停止，再通过修改地址栏里的端口号访问下一个指定的端口继续连续敲，如下所示
knock要求：
向7777端口发起TCP SYN连接1次，进入第一阶段
向8888端口发起TCP SYN连接1次，进入第二阶段
向9999端口发起TCP SYN连接1次，进入第三阶段
每个端口依次敲击，开门
浏览器敲门：
访问7777端口，发起TCP SYN连接N次，进入第一阶段，手动停止
访问8888端口，发起TCP SYN连接的第1次，就会进入第二阶段，然后再发起N次连接，直到手动停止
由于很难控制8888端口只敲1次就停，所以很难达到三个端口依次各敲一次的条件，第三阶段几乎无法达成
因此我仅设置两个端口，在二阶段就开门，虽然安全系数低一点，但是相比关闭路由的TCP SYN入侵检测来看，我还是选择这个方案
进入路由器把端口7777和8888转发到本机

tcpdump监听7777端口，然后浏览器输入221.229.XX.X1:7777访问

[root@RHEL9 ~]# tcpdump port 7777
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp4s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
02:19:24.639781 IP 221.229.XX.X1.55195 > RHEL9.cbt: Flags [S], seq 495572742, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
02:19:24.639808 IP 221.229.XX.X1.55196 > RHEL9.cbt: Flags [S], seq 1686601064, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

监听8888端口也一样，先确保敲门信号能够透过路由器来到主机上

[root@RHEL9 ~]# tcpdump port 8888
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on enp4s0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
02:22:20.297021 IP 221.229.XX.X1.55239 > RHEL9.ddi-tcp-1: Flags [S], seq 2212466356, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
02:22:20.297059 IP 221.229.XX.X1.55240 > RHEL9.ddi-tcp-1: Flags [S], seq 2750412576, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0

起服务，tail -f看日志，然后浏览器准备好依次访问7777和8888端口

[root@RHEL9 ~]# systemctl enable --now knockd.service
[root@RHEL9 ~]# tail /var/log/knockd.log -f
[2024-11-03 02:59] starting up, listening on WANbridge
[2024-11-03 03:00] 221.229.XX.X1: opencloseSSH: Stage 1
[2024-11-03 03:00] 221.229.XX.X1: opencloseSSH: Stage 1
[2024-11-03 03:00] 221.229.XX.X1: opencloseSSH: Stage 1
[2024-11-03 03:00] 221.229.XX.X1: opencloseSSH: Stage 2
[2024-11-03 03:00] 221.229.XX.X1: opencloseSSH: OPEN SESAME
[2024-11-03 03:00] opencloseSSH: running command: /usr/bin/firewall-cmd --add-rich-rule='rule family="ipv4" source address="221.229.XX.X1" port protocol="tcp" port="22222" accept'

指令生效，防火墙端口打开
下面进入路由设置转发，之前是设置62222转发到本机22端口，现在新增一条将22222端口转发给本机
想访问主机22端口，就访问公网的62222
想访问主机的22222端口，就访问公网的22222

开始配置ssh实现端口登录限制。先配置ssh监听22222端口，目前ssh只监听默认的22端口

[root@RHEL9 ~]# grep -n \#Port /etc/ssh/sshd_config
21:#Port 22
[root@RHEL9 ~]# cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
[root@RHEL9 ~]# sed -Ei 's/\#Port 22/Port 22/' /etc/ssh/sshd_config
[root@RHEL9 ~]# sed -Ei '/Port 22/a Port 22222' /etc/ssh/sshd_config
[root@RHEL9 ~]# grep -n Port /etc/ssh/sshd_config
21:Port 22
22:Port 22222
101:#GatewayPorts no

重启下服务

[root@RHEL9 ~]# systemctl restart sshd.service 
[root@RHEL9 ~]# ss -tpln
State     Recv-Q    Send-Q       Local Address:Port       Peer Address:Port   Process                            
LISTEN    0         128                0.0.0.0:22              0.0.0.0:*       users:(("sshd",pid=1590,fd=3))    
LISTEN    0         128                   [::]:22                 [::]:*       users:(("sshd",pid=1590,fd=4))    

重启服务后没有监听22222端口，应该是没有配置22222端口的SELinux安全文本的原因

[root@RHEL9 ~]# grep -in selinux /etc/ssh/sshd_config -A1
17:# If you want to change the port on a SELinux system, you have to tell
18:# SELinux about this change.
19-# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER

配置完成，reload也可以生效

[root@RHEL9 ~]# semanage port -a -t ssh_port_t -p tcp 22222
[root@RHEL9 ~]# semanage port -l | grep 22222
ssh_port_t                     tcp      22222, 22
[root@RHEL9 ~]# systemctl reload sshd.service 
[root@RHEL9 ~]# ss -tpln
State     Recv-Q    Send-Q       Local Address:Port        Peer Address:Port   Process                           
LISTEN    0         128                0.0.0.0:22               0.0.0.0:*       users:(("sshd",pid=1590,fd=5))   
LISTEN    0         128                0.0.0.0:22222            0.0.0.0:*       users:(("sshd",pid=1590,fd=3))   
LISTEN    0         128                   [::]:22                  [::]:*       users:(("sshd",pid=1590,fd=6))   
LISTEN    0         128                   [::]:22222               [::]:*       users:(("sshd",pid=1590,fd=4))   

如需移除添加的端口，指令如下

[root@RHEL9 ~]# semanage port -d -p tcp 22222
[root@RHEL9 ~]# semanage port -l | grep ssh
ssh_port_t                     tcp      22

添加两个用户用来测试

[root@RHEL9 ~]# useradd monalisa;echo 'whoisshe' | passwd --stdin monalisa
Changing password for user monalisa.
passwd: all authentication tokens updated successfully.
[root@RHEL9 ~]# useradd davinci;echo 'whoishee' | passwd --stdin davinci
Changing password for user davinci.
passwd: all authentication tokens updated successfully.

目前两个端口应该都能正常登录才对

[root@RHEL9 ~]# ssh -p 62222 monalisa@221.229.XX.X1
monalisa@221.229.XX.X1's password: 
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Mon Nov  4 00:25:47 2024 from 221.229.XX.X1
[monalisa@RHEL9 ~]$ logout
Connection to 221.229.XX.X1 closed.
[root@RHEL9 ~]# ssh -p 22222 monalisa@221.229.XX.X1
monalisa@221.229.XX.X1's password: 
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Mon Nov  4 00:48:40 2024 from 221.229.XX.X1
[monalisa@RHEL9 ~]$ logout 
Connection to 221.229.XX.X1 closed.

先修改sshd配置文件禁止密码登录，让所有用户输密码都登不上来，无论哪个端口

[root@RHEL9 ~]# grep -in passwordauth /etc/ssh/sshd_config
66:#PasswordAuthentication yes
89:# PasswordAuthentication.  Depending on your PAM configuration,
93:# PAM authentication, then enable this but set PasswordAuthentication
[root@RHEL9 ~]# sed -Ei 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
[root@RHEL9 ~]# grep -n ^PasswordAuthentication /etc/ssh/sshd_config
66:PasswordAuthentication no[root@RHEL9 ~]# systemctl reload sshd.service 
[root@RHEL9 ~]# ssh -p 62222 monalisa@221.229.XX.X1
monalisa@221.229.XX.X1: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
[root@RHEL9 ~]# ssh -p 22222 monalisa@221.229.XX.X1
monalisa@221.229.XX.X1: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
[root@RHEL9 ~]# ssh -p 62222 davinci@221.229.XX.X1
davinci@221.229.XX.X1: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
[root@RHEL9 ~]# ssh -p 22222 davinci@221.229.XX.X1
davinci@221.229.XX.X1: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

在sshd_config文件末尾追加match规则

[root@RHEL9 ~]# cat <<EOF>> /etc/ssh/sshd_config
> Match LocalPort 22222
>     PasswordAuthentication yes
> EOF
[root@RHEL9 ~]# tail -3 /etc/ssh/sshd_config
#	ForceCommand cvs server
Match LocalPort 22222PasswordAuthentication yes

目前应该是22222端口可以密码登录，62222端口无法登录

[root@RHEL9 ~]# systemctl reload sshd.service
[root@RHEL9 ~]# ssh -p 62222 monalisa@221.229.XX.X1
monalisa@221.229.XX.X1: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
[root@RHEL9 ~]# ssh -p 22222 monalisa@221.229.XX.X1
monalisa@221.229.XX.X1's password: [root@RHEL9 ~]# ssh -p 62222 davinci@221.229.XX.X1
davinci@221.229.XX.X1: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
[root@RHEL9 ~]# ssh -p 22222 davinci@221.229.XX.X1
davinci@221.229.XX.X1's password: 

单独把monalisa账号加入match规则

[root@RHEL9 ~]# echo '    AllowUsers monalisa' >> /etc/ssh/sshd_config
[root@RHEL9 ~]# tail -4 /etc/ssh/sshd_config
#	ForceCommand cvs server
Match LocalPort 22222PasswordAuthentication yesAllowUsers monalisa
[root@RHEL9 ~]# systemctl reload sshd.service 

现在应该是62222端口仍没人能登录，22222端口monalisa可以密码登录，davinci不可以

[root@RHEL9 ~]# ssh -p 62222 monalisa@221.229.XX.X1
monalisa@221.229.XX.X1: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
[root@RHEL9 ~]# ssh -p 22222 monalisa@221.229.XX.X1
monalisa@221.229.XX.X1's password: 
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last login: Mon Nov  4 02:05:21 2024 from 221.229.XX.X1
[monalisa@RHEL9 ~]$ logout
Connection to 221.229.XX.X1 closed.[root@RHEL9 ~]# ssh -p 62222 davinci@221.229.XX.X1
davinci@221.229.XX.X1: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
[root@RHEL9 ~]# ssh -p 22222 davinci@221.229.XX.X1
davinci@221.229.XX.X1's password: 
Permission denied, please try again.
davinci@221.229.XX.X1's password: 
Permission denied, please try again.
davinci@221.229.XX.X1's password: 
davinci@221.229.XX.X1: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

加入davinci到match规则里

[root@RHEL9 ~]# sed -Ei 's/^(    AllowUsers monalisa)/\1 davinci/' /etc/ssh/sshd_config
[root@RHEL9 ~]# tail -4 /etc/ssh/sshd_config
#	ForceCommand cvs server
Match LocalPort 22222PasswordAuthentication yesAllowUsers monalisa davinci

测试davinci登陆结果

[root@RHEL9 ~]# systemctl reload sshd.service 
[root@RHEL9 ~]# ssh -p 62222 davinci@221.229.XX.X1
davinci@221.229.XX.X1: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
[root@RHEL9 ~]# ssh -p 22222 davinci@221.229.XX.X1
davinci@221.229.XX.X1's password: 
Register this system with Red Hat Insights: insights-client --register
Create an account or view all your systems at https://red.ht/insights-dashboard
Last failed login: Mon Nov  4 06:00:57 CST 2024 from 221.229.XX.X1 on ssh:notty
There were 8 failed login attempts since the last successful login.
Last login: Mon Nov  4 02:15:54 2024 from 221.229.XX.X1
[davinci@RHEL9 ~]$ logout
Connection to 221.229.XX.X1 closed.

控制root用户登录的默认参数为
PermitRootLogin prohibit-password
禁止密码登录，在此状态下，即使把root账户加入最后的match规则里，root账户也不能密码登录

[root@RHEL9 ~]# grep -ni root /etc/ssh/sshd_config
41:#PermitRootLogin prohibit-password
91:# the setting of "PermitRootLogin without-password".
117:#ChrootDirectory none
[root@RHEL9 ~]# sed -Ei 's/^(    AllowUsers monalisa davinci)/\1 root/' /etc/ssh/sshd_config
[root@RHEL9 ~]# tail -4 /etc/ssh/sshd_config
#	ForceCommand cvs server
Match LocalPort 22222PasswordAuthentication yesAllowUsers monalisa davinci root
[root@RHEL9 ~]# ssh -p 22222 root@221.229.XX.X1
root@221.229.XX.X1's password: 
Permission denied, please try again.
root@221.229.XX.X1's password: 
Permission denied, please try again.
root@221.229.XX.X1's password: 
root@221.229.XX.X1: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password).

最后测试确保敲开的端口20秒内可以自动关闭

[root@RHEL9 ~]# tail -f /var/log/knockd.log 
[2024-11-04 06:22] 183.208.XX.X1: opencloseSSH: Stage 1
[2024-11-04 06:22] 183.208.XX.X1: opencloseSSH: Stage 1
[2024-11-04 06:22] 183.208.XX.X1: opencloseSSH: Stage 2
[2024-11-04 06:22] 183.208.XX.X1: opencloseSSH: OPEN SESAME
[2024-11-04 06:22] opencloseSSH: running command: /usr/bin/firewall-cmd --add-rich-rule='rule family="ipv4" source address="183.208.XX.X1" port protocol="tcp" port="22222" accept'[2024-11-04 06:23] 183.208.XX.X1: opencloseSSH: command timeout
[2024-11-04 06:23] opencloseSSH: running command: /usr/bin/firewall-cmd --remove-rich-rule='rule family="ipv4" source address="183.208.XX.X1" port protocol="tcp" port="22222" accept'
[root@RHEL9 ~]# firewall-cmd --list-rich-rules[root@RHEL9 ~]# 

后续的一些问题

• 我测试的配置敲门端口的时候用6666端口失败了，本来是选的6666和7777两个端口，后来换成了7777和8888两个端口。个人认为是浏览器没有对6666端口发起连接导致的，似乎浏览器不认为6666是一个有效的端口，也有可能是别的原因。我用chrome和Microsoft Edge测试都失败了，但是之前用10000以上的端口测试都没问题，建议把端口号调大。
• 重启系统后knock server失效了，7777端口可以监听到敲门的数据，但是日志里没有反应。在重启一遍服务又恢复正常了。个人认为是因为我监听的端口是我配置的网桥WANbirdge，极有可能是knock server启动好的时候配置的网桥WANbirdge还没有启动好，导致监听不到这个网络接口。所以等到网桥启动好后，重启knock server服务又恢复正常了。因此，设置knock server延迟启动应该可以解决。如果监听物理网卡，不监听网桥，个人认为应该不会有这个问题，不需要做以下配置。

[root@RHEL9 ~]# rpm -ql knock-server | grep service
/usr/lib/systemd/system/knockd.service
[root@RHEL9 ~]# vim /usr/lib/systemd/system/knockd.service[Unit]
Description=A port-knocking server
After=network.target[Service]
#睡90秒再启动
ExecStartPre=/usr/bin/sleep 90
#避免进程因启动超时被杀掉，手动设置超时时间
TimeoutStartSec=120
Type=forking
EnvironmentFile=-/etc/sysconfig/knockd
ExecStart=/usr/sbin/knockd -d $OPTIONS[Install]
WantedBy=multi-user.target[root@RHEL9 ~]# systemctl daemon-reload 
[root@RHEL9 ~]# systemctl restart knockd.service &
[1] 4793
[root@RHEL9 ~]# watch -n3 systemctl status knockd.service 

用watch每隔3秒观察knock.service状态，由Active: activating (start-pre)变为Active: active (running)

[root@RHEL9 ~]# watch -n3 systemctl status knockd.service
Every 3.0s: systemctl status knockd.service                                                       RHEL9: Tue Nov  5 03:56:23 2024● knockd.service - A port-knocking serverLoaded: loaded (/usr/lib/systemd/system/knockd.service; enabled; preset: disabled)Active: activating (start-pre) since Tue 2024-11-05 03:55:45 CST; 37s ago
Cntrl PID: 4795 (sleep)Tasks: 1 (limit: 101263)Memory: 196.0KCPU: 1msCGroup: /system.slice/knockd.service└─4795 /usr/bin/sleep 90Nov 05 03:55:45 RHEL9 systemd[1]: Starting A port-knocking server...Every 3.0s: systemctl status knockd.service                                                       RHEL9: Tue Nov  5 03:59:06 2024● knockd.service - A port-knocking serverLoaded: loaded (/usr/lib/systemd/system/knockd.service; enabled; preset: disabled)Active: active (running) since Tue 2024-11-05 03:57:15 CST; 1min 50s agoProcess: 4795 ExecStartPre=/usr/bin/sleep 90 (code=exited, status=0/SUCCESS)Process: 4821 ExecStart=/usr/sbin/knockd -d $OPTIONS (code=exited, status=0/SUCCESS)Main PID: 4822 (knockd)Tasks: 1 (limit: 101263)Memory: 404.0KCPU: 3msCGroup: /system.slice/knockd.service└─4822 /usr/sbin/knockd -dNov 05 03:55:45 RHEL9 systemd[1]: Starting A port-knocking server...
Nov 05 03:57:15 RHEL9 systemd[1]: Started A port-knocking server.

脚本实现自动化

#rhel9knock.sh
#Date: 2024-11-04
#!/bin/bash##################################
###请根据操作系统选择配置epel源###
##################################
#rhel9配置epel源
#dnf config-manager --set-enabled crb && dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
#红帽家族9配置epel源
#dnf config-manager --set-enabled crb && dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-9.noarch.rpm
#rhel8配置epel源
#subscription-manager repos --enable codeready-builder-for-rhel-8-$(arch)-rpms && dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm
#红帽家族8配置epel源
#dnf config-manager --set-enabled powertools && dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm##################
#设置服务延时启动#
##################
#编辑/usr/lib/systemd/system/knockd.service配置knock服务延迟启动，一般用在监听的网络接口不是真实的物理网卡接口，而是网桥类的master接口的情况，如knock服务正常使用可忽略
#dnf install -y knock-server && sed -Ei.bak '/\[Service\]/a ExecStartPre=/usr/bin/sleep 90\nTimeoutStartSec=120' /usr/lib/systemd/system/knockd.service#配置：监听网卡，敲门端口1，敲门端口2，开启端口，敲击时间，连接时间,连接账户(非root)
knock_if=
knock_p1=
knock_p2=
ssh_port=
knock_time=
close_time=
ssh_user=#安装knock
rpm -q knock-server || dnf install -y knock-server#编辑/etc/knockd.conf
cp /etc/knockd.conf{,.bak}
#使用tab缩进来对其文本"\\\\t"，\t为sed里的tab缩进，单引号内需要把\转义，写为\\t,双引号内需要把两个\都转义，写为\\\\t
sed -Ei "/\[options\]/a\\\\tInterface     = ${knock_if}" /etc/knockd.conf
sed -Ei 's/(^[[:blank:]]+)UseSyslog.*$/\1LogFile       = \/var\/log\/knockd.log/' /etc/knockd.conf
sed -Ei "s/^([[:blank:]]+sequence      = ).+$/\1${knock_p1},${knock_p2}/" /etc/knockd.conf
sed -Ei "s/^([[:blank:]]+seq_timeout   = ).+$/\1${knock_time}/" /etc/knockd.conf
sed -Ei "s/^([[:blank:]]+tcpflags      = syn).+$/\1/" /etc/knockd.conf
sed -Ei "s/^([[:blank:]]+start_command = ).+$/\1\/usr\/bin\/firewall-cmd --add-rich-rule='rule family=\"ipv4\" source address=\"%IP%\" port protocol=\"tcp\" port=\"${ssh_port}\" accept'/" /etc/knockd.conf
sed -Ei "s/^([[:blank:]]+cmd_timeout   = ).+$/\1${close_time}/" /etc/knockd.conf
sed -Ei "s/^([[:blank:]]+stop_command  = ).+$/\1\/usr\/bin\/firewall-cmd --remove-rich-rule='rule family=\"ipv4\" source address=\"%IP%\" port protocol=\"tcp\" port=\"${ssh_port}\" accept'/" /etc/knockd.conf#根据SELINUX状态选择是否添加新增ssh端口的安全文本
[  "$(getenforce)"  ==  "Enforcing"  ] && semanage port -a -t ssh_port_t -p tcp ${ssh_port}#编辑/etc/ssh/sshd_config文件
sed -Ei.bak "s/\#Port 22/Port 22\nPort ${ssh_port}/" /etc/ssh/sshd_config
sed -Ei 's/#PasswordAuthentication yes/PasswordAuthentication no/' /etc/ssh/sshd_config
cat <<EOF>> /etc/ssh/sshd_config
Match LocalPort ${ssh_port}PasswordAuthentication yesAllowUsers ${ssh_user}
EOF
systemctl reload sshd.service#起动knockd.service服务
systemctl daemon-reload
systemctl enable --now knockd.service